Browsing Research documents by Subject "edb-kriminalitet"

Addressing the Procedural Stages of Computer Crime in an Organisational Context

Willison, Robert (København, 2005)


Abstract:

IS security represents a growing concern for organisations. Although hackers and viruses are often the basis of such concerns, the inside threat of employee computer crime should not be underestimated. From an academic perspective, there are a modest but growing number of texts which examine the ‘insider’ problem. While attention has been given to the influence on offender actions through deterrent safeguards, there has been a lack of insight into the interactive relationship between offender choices made during the actual perpetration of computer crimes, and the context in which such crimes take place. Knowledge of this relationship would be of obvious interest to practitioners who would aim to manipulate the environment and influence offender choices accordingly. To address this oversight, this paper, therefore, advances two criminological theories which it is argued can be used to examine the stages an offender must go through in order for a crime to be committed i.e. the ‘procedural stages’ of computer crime. Hence, this paper illustrates how the two theories, entitled the rational choice perspective and situational crime prevention, can be applied to the IS domain, thereby offering a theoretical basis on which to analyse offender choices/behaviour during perpetration. Through such an analysis greater insights may be offered into selecting appropriate safeguards to prevent computer crime.

Systems risk refers to the likelihood that an IS is inadequately guarded against certain types of damage or loss. While risks are posed by acts of God, hackers and viruses, consideration should also be given to the ‘insider’ threat of dishonest employees, intent on undertaking some form of computer abuse. Against this backdrop, a number of researchers have addressed the extent to which security managers are cognizant of the very nature of systems risk. In particular, they note how security practitioners’ knowledge of local threats, which form part of such risk, is often fragmented. This contributes to situations where risk reducing efforts are often less than effective. Security efforts are further complicated given that the task of managing systems risk requires input from a number of departments including, for example, HR, compliance, IS/IT and physical security. In a bid to complement existing research, but also offer a fresh perspective, this paper addresses systems risk from the offender’s perspective. If systems risk entails the likelihood that an IS is inadequately protected, this text considers those conditions, within the organisational context, which offer a criminal opportunity for the offender. To achieve this goal a model known as the ‘Crime Specific Opportunity Structure’ is advanced. Focussing on the opportunities for computer abuse, the model addresses the nature of such opportunities with regards to the organisational context and the threats posed by rogue employees. Drawing on a number of criminological theories, it is believed the model may help inform managers about local threats and, by so doing, enhance safeguard implementation.

Employee computer crime represents a substantial threat for organisations. Yet information security researchers and practitioners currently lack a clear understanding of how these crimes are perpetrated, which, as a consequence, hinders security efforts. We argue that recent developments in criminology can assist in addressing the insider threat. More specifically, we demonstrate how an approach, entitled Situational Crime Prevention, can not only enhance an understanding of employee computer crime, but also strengthen security practices which are designed to address this problem.


There is currently a paucity of literature focusing on the relationship between the actions of staff members, who perpetrate some form of computer abuse, and the organisational environment in which such actions take place. A greater understanding of such a relationship may complement existing security practices by possibly highlighting new areas for safeguard implementation. To help facilitate a greater understanding of the offender/environment dynamic, this paper assesses the feasibility of applying criminological theory to the IS security context. More specifically, three theories are advanced, which focus on the offender’s behaviour in a criminal setting. Drawing on an account of the Barings Bank collapse, events highlighted in the case study are used to assess whether concepts central to the theories are supported by the data. It is noted that while one of the theories is to be found wanting in terms of conceptual sophistication, the case can be made for the further exploration of applying all three in the IS security context.


While hackers and viruses fuel the IS security concerns for organisations, the problems posed by employee computer crime should not be underestimated. Indeed, a growing number of IS security researchers have turned their attention to the ‘insider’ threat. However, to date, there has been a lack of insight into the relationship between the actual behaviour of offenders during the perpetration of computer crime, and the organisational context in which the behaviour takes place. To address this deficiency, this paper advances two criminological theories, which it is argued can be used to examine the stages an offender must go through in order for a crime to be committed. In addition, this paper illustrates how the two theories, entitled the Rational Choice Perspective and Situational Crime Prevention, can be applied to the IS domain, thereby offering a theoretical basis on which to analyse the offender/context relationship during the perpetration of computer crime. By so doing, practitioners may use these insights to inform and enhance the selection of safeguards in a bid to improve prevention programmes.